Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to get a count by error text?

tkasim
New Member
‎01-11-2016 09:25 PM

Hi everyone,

I am trying to do the following in Splunk, but it's not working:

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(search, "%error1%"),"error1",
like(search, "%error2%"),"error2"
) | chart count by Description

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
Happy Splunking!
Reply
Solved! Jump to solution

tkasim
New Member
‎01-11-2016 10:10 PM

Hi Renjith

the "search" keyword is not a field. I actually want to search the resultset for those errors...
I am not sure how to point to the resultset. I have zero experience with splunk so please excuse the novice question.

I also tried "rawtext" that too didn't work.

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(rawtext, "%error1%"),"error1",
like(rawtext, "%error2%"),"error2"
) | chart count by Description

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 06:15 PM

Alright. For raw your should use _raw ie

 index=MRM eventtype=MRM_ERROR |eval Description=case(like(_raw, "%error1%"),"error1",like(_raw, "%error2%"),"error2") | chart count by Description

Ideally if the field is not available , you should extract the field using field extraction techniques in splunk

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

Happy Splunking!
Reply
Solved! Jump to solution

tkasim
New Member
‎01-12-2016 08:24 PM

Thank you so much.

My plan is to turn the most frequent errors into fields. The above is a great starting point. Thanks for the links, just what I needed 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...